Are digital signatures safe?


By AJ Dumanhug, CEO, Secuna

Digital signatures rose to the forefront of technology in 2020 when the world was forced to work from home. With the enhanced community quarantine in place, signing contracts, confidential documents, and more could no longer be done in person, so we all looked to digital signing.

As companies adjusted to the age of digital documents, cyber-criminals became more adept at discovering vulnerabilities within information systems. They have found methods to breach applications and launch attacks on e-signature validation.

The 2021 Annual Data Breach Report records a 68% increase in data breaches over the previous year, making 2021 the year with the most data breaches ever recorded.

In the Zoom database leak of April 2020, for example, hackers found ways to bypass security, steal more than 500,000 usernames and passwords, and gain access to confidential documents.

In July 2020, researchers from Germany's Ruhr-Universität Bochum published new attacks on digital signature systems for PDF, which they called "shadow attacks." The attacker prepares a PDF containing an extra, hidden layer of content in addition to what the signer expects to see. Once the document is signed, the attacker modifies it and sends it to the relying party, whose software validates the digital signature even though the content it displays differs from what the signer saw.

The experts also demonstrated in the previous year that most PDF viewers and online validation services contain vulnerabilities that can be exploited to make unauthorized changes to signed e-documents without invalidating their signature.
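One defender-side check that follows from the attacks above, written as an added example (not code from the article or from the Bochum researchers): a PDF signature declares a /ByteRange that names the byte regions the signature covers, and content appended after that range as an incremental update is not covered by the signature at all. The toy PDF bytes below are constructed for the example, and the regex-based scan is a heuristic, not a replacement for cryptographic verification of the signature itself.

```python
import re

# /ByteRange [a b c d] means the signature covers bytes [a, a+b) and [c, c+d);
# the gap in between holds the signature value (/Contents). Heuristic parse only:
# a real verifier must locate signature dictionaries via the document structure.
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def signed_byte_ranges(pdf: bytes) -> list[tuple[int, int, int, int]]:
    """All (a, b, c, d) ByteRange tuples found in the file."""
    return [tuple(int(x) for x in m.groups()) for m in BYTERANGE_RE.finditer(pdf)]


def unsigned_tail(pdf: bytes) -> bytes:
    """Bytes after the end of the last covered region (b'' if fully covered)."""
    ranges = signed_byte_ranges(pdf)
    if not ranges:
        raise ValueError("no /ByteRange found: file carries no signature")
    signed_end = max(c + d for (_, _, c, d) in ranges)
    return pdf[signed_end:]


def shadow_update_suspected(pdf: bytes) -> bool:
    """True when non-whitespace data follows the signed region (incremental update)."""
    return len(unsigned_tail(pdf).strip()) > 0


def make_signed_sample() -> bytes:
    """Constructed 240-byte toy file whose ByteRange covers [0,120) and [200,240)."""
    head = b"%PDF-1.7\n1 0 obj << /Type /Sig /ByteRange [0 120 200 40] /Contents <"
    head = head.ljust(120, b" ")                     # pad so /Contents starts at 120
    sig = b"0" * 80                                   # fake hex signature, [120,200)
    tail = b"> >> endobj\ntrailer\nstartxref\n9\n%%EOF\n".ljust(40, b" ")  # [200,240)
    return head + sig + tail


def make_shadow_sample() -> bytes:
    """Same file with a constructed incremental update appended after signing."""
    update = (b"\n2 0 obj << /Type /Annot /Contents (replaced text) >> endobj\n"
              b"xref\ntrailer\nstartxref\n240\n%%EOF\n")
    return make_signed_sample() + update


if __name__ == "__main__":
    for name, doc in (("original", make_signed_sample()), ("shadow", make_shadow_sample())):
        print(name, "suspected:", shadow_update_suspected(doc))
```

Legitimate workflows (a second signer, form filling) also append incremental updates, so a flagged file needs a content comparison between the signed revision and the final revision rather than an automatic rejection.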

The list of vulnerable applications includes some of the popular PDF readers like Adobe Reader, LibreOffice, Master PDF Editor, Nitro Reader, and Soda PDF. Meanwhile, the list of affected validation services includes the digital signature and digital transactions company DocuSign, which ranked No. 4 in Forbes' 2017 Cloud 100 list.

The findings were reported to the affected vendors, and the researchers proposed new mitigations to prevent these types of attacks.

The vulnerabilities identified in these applications and services highlight the need to adopt best practices in validating digital signatures. In the Philippines, digital signature company Twala tightens its security posture by tapping the DICT-recognized cybersecurity testing platform Secuna to make sure its app is secure from all possible data breaches.

Twala is compliant with the Philippines' E-Commerce Act and the Supreme Court's Rules on Digital Evidence. Its signatures are also legally accepted in other jurisdictions such as the US, EU, ASEAN, etc. However, to meet the regulatory security requirements of the Data Privacy Act of 2012 and fend off cyberattacks, Twala needed to go beyond traditional penetration testing and obtain a real-world simulation of threats.

Forty-seven security vulnerabilities were identified and fixed after the vulnerability assessment and penetration testing (VAPT). Eight of these vulnerabilities were rated from High to Critical using CVSS 3.1, an industry-standard scoring system.

Secuna's certified penetration testers used the OWASP Web Security Testing Guide and Mobile Security Testing Guide to conduct extensive testing of Twala's web app, mobile app, and API to identify security vulnerabilities.

Targeted penetration testing for Twala's blockchain digital signature and ID verification services eliminates further security risks associated with digital signature exposure while keeping applications safe from cyber security breaches.

Abiding by the best security practices and keeping tabs on the most common vulnerabilities should be a core responsibility for cybersecurity testers. It entails developing a detailed technical report and a highly collaborative vulnerability remediation approach.

It's simple: Preparation is vital. Outdated approaches to vulnerability assessment and penetration testing are no longer practical. As cyber-attacks get more sophisticated, organizations need a more detailed view of the threats facing their applications in order to protect digitally signed documents from malicious attacks.